fixes for display and search privacy enforcement
This commit is contained in:
parent
3ff9642750
commit
956d275693
@ -302,16 +302,19 @@ function public_permissions_sql($observer_hash) {
|
||||
foreach($groups as $g)
|
||||
$gs .= '|<' . $g . '>';
|
||||
}
|
||||
$sql = sprintf(
|
||||
" OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
|
||||
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
|
||||
))
|
||||
",
|
||||
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
|
||||
dbesc($gs),
|
||||
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
|
||||
dbesc($gs)
|
||||
);
|
||||
$sql = '';
|
||||
if($observer_hash) {
|
||||
$sql = sprintf(
|
||||
" OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
|
||||
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
|
||||
))
|
||||
",
|
||||
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
|
||||
dbesc($gs),
|
||||
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
|
||||
dbesc($gs)
|
||||
);
|
||||
}
|
||||
|
||||
return $sql;
|
||||
}
|
||||
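Review bot: public_permissions_sql now returns '' when `$observer_hash` is empty, which makes every caller's permission clause collapse to its public-only part — the right fail-closed default, but nothing documents it, and callers that interpolate the result (search_content's `$pub_sql`) must keep it in a position where an empty string is still valid SQL. Add a docblock above the function: `// Returns '' for an anonymous observer; otherwise an SQL fragment beginning with ' OR ((' that admits rows explicitly allowed to the observer or one of their groups and not denied to them.` The observer hash and the `$gs` group list are escaped with dbesc() only, which neutralises quotes but not LIKE wildcards (`%`, `_`) or REGEXP metacharacters, so this is safe only as long as those hashes come from an alphabet without them — worth confirming where they are generated. The start of the function, including how `$gs` is initialised before the foreach, is outside this hunk.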
@ -424,6 +427,29 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
|
||||
$str .= ',';
|
||||
$str .= intval($rr);
|
||||
}
|
||||
logger('stream_perms_api_uids: ' . $str);
|
||||
return $str;
|
||||
}
|
||||
|
||||
function stream_perms_xchans($perms_min = PERMS_SITE) {
|
||||
$ret = array();
|
||||
if(local_user())
|
||||
$ret[] = get_observer_hash();
|
||||
$r = q("select channel_hash from channel where channel_r_stream <= %d",
|
||||
intval($perms_min)
|
||||
);
|
||||
if($r)
|
||||
foreach($r as $rr)
|
||||
if(! in_array($rr['channel_hash'],$ret))
|
||||
$ret[] = $rr['channel_hash'];
|
||||
|
||||
$str = '';
|
||||
if($ret)
|
||||
foreach($ret as $rr) {
|
||||
if($str)
|
||||
$str .= ',';
|
||||
$str .= "'" . dbesc($rr) . "'";
|
||||
}
|
||||
logger('stream_perms_xchans: ' . $str);
|
||||
return $str;
|
||||
}
|
||||
|
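Review bot: stream_perms_xchans() returns an empty string when `$ret` is empty (no local session and no channel with `channel_r_stream <= $perms_min`), and the new callers splice it into `owner_xchan in ( ... )`, so that case yields `in ( )`, a SQL syntax error rather than an empty match. Returning a sentinel that cannot match, e.g. `if(! $str) $str = "''";` just before the logger line, keeps the query valid and still fails closed; stream_perms_api_uids has the same shape and its start is outside this hunk. The `logger()` call writes every qualifying channel hash on each request at the default level, which is noisy though not sensitive. A short header comment would help the next reader: `// Comma-separated, quoted list of channel hashes whose stream is readable at $perms_min, plus the observer's own hash, for use in an SQL IN list.`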
@ -113,16 +113,18 @@ function display_content(&$a, $update = 0, $load = false) {
|
||||
}
|
||||
}
|
||||
if($r === null) {
|
||||
dbg(1);
|
||||
$r = q("SELECT * from item
|
||||
WHERE item_restrict = 0
|
||||
and mid = '%s'
|
||||
AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
|
||||
AND `item`.`deny_gid` = '' AND item_private = 0 )
|
||||
and uid in ( " . stream_perms_api_uids() . " ))
|
||||
and owner_xchan in ( " . stream_perms_xchans() . " ))
|
||||
$sql_extra )
|
||||
group by mid limit 1",
|
||||
dbesc($target_item['parent_mid'])
|
||||
);
|
||||
dbg(0);
|
||||
}
|
||||
|
||||
}
|
||||
|
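Review bot: As rendered, the parentheses in the new query look unbalanced: `AND (((` opens three groups, the closes through `owner_xchan in ( ... ))` bring the depth back to zero, and the trailing `)` after `$sql_extra` then closes one group too many unless `$sql_extra` itself opens one; if that is a real imbalance q() returns false, `$r` is falsy, and the request silently shows nothing instead of reporting an error. Please confirm against the actual file; the fix is either `AND ((((` or dropping the final `)`, depending on what `$sql_extra` holds. The `dbg(1)`/`dbg(0)` pair around the query also looks like leftover debugging. The enclosing display_content function starts outside this hunk.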
@ -183,23 +183,37 @@ function search_content(&$a,$update = 0, $load = false) {
|
||||
|
||||
}
|
||||
|
||||
|
||||
$pub_sql = public_permissions_sql(get_observer_hash());
|
||||
|
||||
if(($update) && ($load)) {
|
||||
$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
|
||||
dbg(1);
|
||||
if($load) {
|
||||
$r = q("SELECT distinct mid, id as item_id from item
|
||||
WHERE item_restrict = 0
|
||||
AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
|
||||
OR ( `item`.`uid` = %d ))
|
||||
$sql_extra
|
||||
group by mid ORDER BY created DESC $pager_sql ",
|
||||
intval(local_user()),
|
||||
intval(ABOOK_FLAG_BLOCKED)
|
||||
|
||||
);
|
||||
dbg(0);
|
||||
if($load) {
|
||||
$r = null;
|
||||
|
||||
if(local_user()) {
|
||||
$r = q("SELECT distinct mid, item.* from item
|
||||
WHERE item_restrict = 0
|
||||
AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
|
||||
OR ( `item`.`uid` = %d ))
|
||||
$sql_extra
|
||||
group by mid ORDER BY created DESC $pager_sql ",
|
||||
intval(local_user()),
|
||||
intval(ABOOK_FLAG_BLOCKED)
|
||||
|
||||
);
|
||||
}
|
||||
if($r === null) {
|
||||
$r = q("SELECT distinct mid, item.* from item
|
||||
WHERE item_restrict = 0
|
||||
AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
|
||||
AND `item`.`deny_gid` = '' AND item_private = 0 )
|
||||
and owner_xchan in ( " . stream_perms_xchans() . " ))
|
||||
$pub_sql )
|
||||
$sql_extra
|
||||
group by mid ORDER BY created DESC $pager_sql"
|
||||
);
|
||||
}
|
||||
}
|
||||
else {
|
||||
$r = array();
|
||||
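Review bot: `$pub_sql` is computed from the observer hash but only applied in the `$r === null` branch; the `local_user()` query admits `item.uid = local_user()` plus fully public items and never consults allow/deny lists, so a logged-in member searching would not find posts another local channel shared explicitly with them, while a remote authenticated observer would. If that is intended, say so where the branch starts: `// local members see only their own stream plus public items; per-observer allow/deny matching is applied in the non-local branch below`. The local-user query also still passes `intval(ABOOK_FLAG_BLOCKED)` although its format string has a single `%d`; sprintf ignores the extra argument, but the leftover suggests a dropped clause and should be removed. The start of search_content is outside this hunk.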
@ -208,19 +222,17 @@ dbg(0);
|
||||
|
||||
if($r) {
|
||||
|
||||
$parents_str = ids_to_querystr($r,'item_id');
|
||||
dbg(1);
|
||||
$items = q("SELECT `item`.*, `item`.`id` AS `item_id`
|
||||
FROM `item`
|
||||
WHERE item_restrict = 0
|
||||
$sql_extra and parent in ( $parents_str ) "
|
||||
// intval($a->profile['profile_uid']),
|
||||
// dbesc($parents_str)
|
||||
);
|
||||
dbg(0);
|
||||
xchan_query($items);
|
||||
$items = fetch_post_tags($items,true);
|
||||
$items = conv_sort($items,'created');
|
||||
// $parents_str = ids_to_querystr($r,'item_id');
|
||||
|
||||
// $items = q("SELECT `item`.*, `item`.`id` AS `item_id`
|
||||
// FROM `item`
|
||||
// WHERE item_restrict = 0
|
||||
// $sql_extra and parent in ( $parents_str ) "
|
||||
// );
|
||||
|
||||
xchan_query($r);
|
||||
$items = fetch_post_tags($r,true);
|
||||
// $items = conv_sort($items,'created');
|
||||
|
||||
} else {
|
||||
$items = array();
|
||||
|
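Review bot: The replaced child-fetch query and the `conv_sort` call remain as commented-out code (the `// $parents_str` through `// $items = conv_sort` lines); delete them rather than keep them, since that query fetched every item with `parent in ( $parents_str )` under only `$sql_extra`, and a future uncomment would reintroduce rows the permission-checked `$r` query never admitted. The new path hands the filtered `$r` straight to xchan_query() and fetch_post_tags(), so results are now exactly the rows the first query returned. A one-line comment would make that dependency explicit: `// $r already holds full rows (the search query selects item.*) and has been permission-filtered; do not refetch by parent`. The else branch that follows closes outside this hunk.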